From owner-freebsd-isp@FreeBSD.ORG Tue Feb 17 08:25:01 2004 Return-Path: Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A074116A4CE for ; Tue, 17 Feb 2004 08:25:01 -0800 (PST) Received: from pegmatite.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 867FE43D1D for ; Tue, 17 Feb 2004 08:25:01 -0800 (PST) (envelope-from damian@sentex.net) Received: by pegmatite.sentex.ca (Postfix, from userid 1001) id 440A5B949; Tue, 17 Feb 2004 11:24:57 -0500 (EST) Date: Tue, 17 Feb 2004 11:24:57 -0500 From: Damian Gerow To: isp@freebsd.org Message-ID: <20040217162457.GB59940@sentex.net> Mail-Followup-To: isp@freebsd.org References: <20040216214437.GC65551@lewiz.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-GPG-Key-Id: 0xB841F142 X-GPG-Fingerprint: C7C1 E1D1 EC06 7C86 AF7C 57E6 173D 9CF6 B841 F142 X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . User-Agent: Mutt/1.5.4i Subject: Re: Apache and home directories (file browser). X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Feb 2004 16:25:01 -0000 Thus spake Andy Dills (andy@xecu.net) [16/02/04 17:51]: > > I think this is what I'm looking for, yes. Since I posted this I asked > > some questions on IRC and somebody mentioned that Apache can be chrooted > > to the uid of a script's owner (similar in a way to safe_mode in PHP). > > This would surely then allow files to be read/written by Apache in a > > secure fashion. > While you can chroot apache, that's serverwide, not per-virtualhost. > > If I were you and I wanted to do what you're talking about, I'd use suexec > with perl scripts. AFAIK, that's the only way to do it correctly. I get the impression that's what was meant, and this is just a confusion of terms. You don't chroot to a uid, you generally 'drop' privileges to a uid. To answer the question.. > > My worry here is that Apache would have to be running as root to > > chroot -- can anybody confirm this for me? (Indeed, can anybody confirm > > that it is even possible to do this?) When you start Apache, you need to start it as root, then it drops privileges to, for later versions of FreeBSD, uid www. If you have suexec set up, I don't know exactly how it works, but it drops privileges from root (who starts httpd) to whichever user suexec is configured to. - Damian